Distribution of encrypted information

ABSTRACT

A secure device capable of selectively enabling decryption of units of information is used to provide access to a stream of units of encrypted information. Each unit is linked to a time-stamp. An entitlement management message entitles the secure device to enable decryption of units of information that are linked to time-stamps with values in a specified range. The range has a starting point substantially prior to a current time value of the time stamps distributed concurrent with the entitlement message. In an embodiment the stream is distributed to a plurality of subscribers, each with an own secure device. The distance of the starting point to the current time value for each subscriber is selected dependent on subscription information for the subscriber.

The invention relates to a method of distributing encrypted information and providing conditional access to that information, to a system for distributing encrypted information and to a secure device for use in such a system.

From PCT patent application WO98/27732 a conditional access system is known that uses time-stamps to control a time-interval in which a secure device is enabled to decrypt information. The system broadcasts a data stream that contains encrypted information and entitlement control messages (ECM's). The decryption key needed to decrypt the information changes with time. Each time a new decryption key is needed, this key is broadcast in an ECM. The decryption key itself has to be decrypted from the ECM. This is done in a smart card (or more generally with a secure device), which contains the necessary decryption key for decrypting keys from the ECM's. The smart card supplies the decrypted keys to a decoding device, which decrypts the information from the data stream.

Such a conditional access system is conventionally used under circumstances where subscribers pay for the right to access information. The main example of this is a video signal distribution system such as a cable TV system where subscribers pay for the right to view certain channels. The smart cards of the subscribers that have paid are enabled to supply decrypted keys to the decoding device. To control conditional access the smart card contains entitlement information, which specifies the circumstances under which the smart card should decrypt the keys and supply them to the decoding device. The entitlement information is supplied to the smart card in entitlement management messages (EMM's) with the data stream.

One important requirement of conditional access systems is that they should be resistant to tampering to gain unauthorized access. For example, decryption of the information is normally limited to a time period for which a subscription fee has been paid. One form of tampering is the so-called replay attack, in which part of the data stream is stored in a medium for some time and supplied to the smart card and the decoding device with a delay. Thus, a part of the data stream might be decoded that is received outside the period in which the smart card is entitled to supply keys to the decoding device.

The system of WO98/27732 describes a mechanism to counter such tampering. At the beginning of the subscription period the system sends an EMM that specifies the start and end of the subscription period, that is, the time period in which the smart card should supply the keys and, conversely, outside which the smart card should not supply the keys to the decoding device. Time stamps are added to the ECM's. The time-stamps identify the time at which each ECM has been broadcast. When an ECM is received, the smart card tests whether its time-stamp is in the subscription period specified by the EMM and supplies the decrypted keys only if that is the case. Thus, recorded information that has been received outside the subscription period but is supplied to the secure device during the subscription period cannot be decrypted. Only information broadcast after the EMM, during the subscription period, can be decrypted.

Amongst others, it is an object of the invention to provide other kinds of selective access or more varied types of selective access to subscribers of an information distribution system with conditional access.

The method according to the invention is set forth in Claim 1. According to the invention a type of subscription is enabled in which subscribers can subscribe to the opportunity to view stored information which has been broadcast in the past.

According to the invention the entitlement management message specifies a range of time values for which decryption of parts of the data stream is enabled. The range extends substantially into the past from the current time (substantially meaning sufficiently far into the past to contain for example at least a television program or a meaningful part of such a program, say at least one or more hours, days or weeks) and allows decryption of information that has been stored after distribution, so that the time stamps linked to the information do not substantially correspond to the current time (even allowing for transmission delays). As used herein the current time may include the date and time of day. The current time corresponds to the time values of time stamps linked to the information units when the information units are distributed.

As a result the entitlement management message enables decryption of parts of the data stream that have been transmitted in that prior time period. That is, a secure device is enabled to supply decryption keys for stored information that has been received not more than the specified period before the current date and time. Thus, the subscriber is enabled to view time-shifted information, but only if the time shift is not too large.

This allows the service provider to sell services with different service levels, having a longer or shorter sliding window. For example, in one embodiment individual subscribers might opt for different service levels with time ranges that extend increasingly longer into the past, at increasingly higher subscription fees. Or conversely, for example for sports games, the subscription fee might be lower as the sliding window ends further back in the past. As a result a single broadcast of the game could be stored by different users that are allowed to view the game with different delays, according to their subscription. Thus, there is no need to rebroadcast the game for each group of users. The entitlement may extend to all information broadcast during the time range, or, alternatively, different entitlements to different ranges may be sent for different parts of the stream (for example for different television programs), or entitlements in the past may be sent only for some parts of the stream.

In a further embodiment, the time range slides with the current time, i.e. the start of the time range is kept at a predetermined distance before the current time and advances with the current time. This can be realized for example by regularly sending updates to the secure device to update the range, or by maintaining an advancing current time value in the secure device and testing the values of the time stamps relative to that current time value.

Preferably, the sliding window is also associated with some absolute time, so as to define a maximum time value to which the window can slide. This can be realized for example by including such a maximum time value in the entitlement management message that entitles the secure device to enable decryption in the sliding window. In this case, the secure device not only compares the time stamp from the data stream with the bounds of the window, but also with the maximum time value, and/or it compares the maximum time value with current date and time, before enabling decryption. In another example, this can be realized by linking renewal of other entitlement information (for example entitlement to view information during a coming subscription period) to an instruction to invalidate the sliding window if the subscriber has not paid for the sliding window.

In another embodiment the invention allows a subscription in which a subscriber can retroactively buy the right to decrypt information received during a fixed period (not sliding along with current time) ending at a time substantially prior to buying that right. In response to such an addition to the subscription an additional entitlement management message is sent to enable the subscriber to view information from parts of the data stream that he or she has stored in a medium in the fixed period. The period starts and preferably also ends at predetermined times in the past.

Thus for example, after a holiday the subscriber can buy the right to view any content such as a television program or movie that has been broadcast during the holiday. The program need not be rebroadcast when the subscriber buys such an entitlement, since the entitlement enables the subscriber to use stored information.

These and other objects and advantageous aspects of the method and system according to the invention will be described in more detail using the following figures.

FIG. 1 shows an information distribution system

FIG. 2 shows an entitlement time-range

FIG. 3 shows a further entitlement time range.

FIG. 1 shows an information distribution system. The system contains a source 10 of an encrypted media stream, a subscription management unit 11, a conditional access apparatus 12, a storage device 16 (for example a magnetic or optical disk or a tape recorder) and a further receiving system 19. The subscription management unit 11 has an output coupled to the source 10. The source 10 has an output coupled to the conditional access apparatus 12, the storage device 16 and the further receiving system. The storage device 16 has an output coupled to the conditional access apparatus 12. Further receiving system 19 may contain any number of structures similar to the combination of conditional access apparatus 12 and storage device.

The conditional access apparatus 12 contains a receiving section 120, a content decoder 122, a rendering device 18 and a secure device 14 (for example a smart card). The receiving section 120 receives inputs from the source 10 and the storage device 16 and has an output for encrypted content coupled to the content decoder 122, and outputs for encryption control messages (ECM's) and encryption management messages (EMM's) coupled to secure device 14 (although shown separately, the latter outputs may in fact be combined into a single output). The secure device 14 has an output coupled to a key input of decoder 122. Decoder 122 has an output for decrypted content coupled to rendering device 18.

Secure device 14 contains a decryption unit 140, a management unit 142 and optionally time value storage 144. Decryption unit 140 has an input coupled to the output for ECM's of the receiving section and an output coupled to the key input of decoder 122. Decryption unit 140 also has an output for time stamps coupled to management unit 142. Management unit 142 has an input coupled to the output for EMM's of the receiving section 120. Furthermore management unit 142 has inputs and outputs coupled to optional time value storage 144. Separate inputs are shown for EMM's and ECM's but of course these may be supplied via a single input and processed separately in the secure device 14.

In operation, source 10 transmits one or more streams of encrypted media information (for example video and/or audio information). Each stream contains encrypted content, encryption control messages (ECM's) and encryption management messages (EMM's). The bandwidth requirements for these items differ widely: the content may require a permanent bandwidth of several megabits per second, whereas ECM's may require less than a kilobit and are transmitted, say, only once every minute. EMM's are transmitted even less frequently, say, once per hour. The encryption control messages contain keys for decrypting the encrypted content. These keys themselves are also encrypted. The encryption control messages preferably also contain time stamps. These time stamps may be encrypted, but this is not necessary. It suffices that they are authorized, i.e. encoded in such a way that it can be verified that reasonably only the source could have supplied the time-stamps and that an ECM is associated with a specific time stamp.

Conditional access apparatus 12 receives at least one of the streams. Receiving section 120 passes encrypted content from this stream to decoder 122. Receiving section 120 passes ECM's and EMM's from the stream to secure device 14. Secure device 14 decrypts keys from the ECM's and conditionally supplies them to decoder 122. With the keys, decoder 122 decrypts the content and supplies the decrypted content to rendering device 18, which contains for example a display screen and/or a loudspeaker and which renders the content so that the content can be perceived by the user of the system.

Optionally time value storage 144 maintains a time value indicative of the date and the time of day. The time value in time value storage 144 is regularly updated. This may be done by a clock circuit (not shown) in secure device 14 or by management unit 142, for example each time when an ECM is received (or each time a predetermined number of ECM's has been received).

Any number of conditional access apparatuses such as conditional access apparatus 12, as contained in further receiving system 19, may receive the streams.

Source 10 transmits EMM's to secure device 14 to specify which keys the secure device may supply to the decoder and when. In principle, each of the EMM's is directed at only one secure device 14, for example by including an identifier in the EMM that is unique to the secure device 14 and arranging the secure device to process only EMM's that have the identifier corresponding to the secure device 14. The EMM's are distinguished from the ECM's in that they are transmitted less frequently (because they do not need to supply keys for the encrypted content) and in that they contain management information, for example to set the type and times of content for which the secure device 14 is entitled to supply keys. Thus, the EMM's are essential for controlling the conditions of access, but not directly for providing access.

Secure device 14 checks whether it is entitled to supply the keys to decoder 122. At least for some of the keys entitlement depends on time. To enforce this, management unit 142 can make use of entitlement information received from source 10. In a simple form of time dependent entitlement for example, management unit 142 compares the time value from the time stamp with a range of time-values specified in an EMM. Thus, for example, keys may be supplied only in periods for which the user has paid.

FIG. 2 shows an entitlement time range according to the invention. Date and time of day (jointly referred to as “time of day” or “t”) are plotted horizontally. An arrow indicates current time of day Tc, i.e. the time value of the time stamp broadcast at the time by source 10. A range 20 of time values with a start time 21 and an end time 22 is shown for which the secure device 14 is entitled to supply keys.

FIG. 3 shows a similar entitlement range, wherein the time-range ends before the current time of day Tc.

By way of illustration FIG. 2 also shows a storage time interval 26, starting from a storage time 28 and lasting until the current time of day Tc. When information received from source 10 is stored in storage device 16 at storage time 28 and replayed to secure device 14 at the current time of day Tc, the time stamps from ECM's in the replayed information correspond to storage time 28, not to current time of day Tc. Management unit 24 will enable decryption unit 140 to supply the key from the ECM to decoder 122 nevertheless, as long as the time stamp corresponds to a time value within the time interval relative to Tc specified by T1, T2.

Source 10 specifies the range 20 by sending secure device 14 an EMM with a code indicating that an entitlement time-range 20 extending into the past is to be used. In response, management unit 142 stores information from this EMM (for example in the form of specific start and end times, or indirectly for example in terms of a starting point and a duration of the time range 20, or just a starting point, or with codes referring to predetermined durations and/or lengths stored in management unit 142). Subsequently, when management unit 142 receives a time-stamp from an ECM, management unit 142 compares this time stamp with the specified range. If the time stamp is in the range, management unit 142 enables decryption unit 140 to supply the decrypted key to decoder 122.

In an embodiment the range may be defined relative to the current time of day Tc maintained in time value storage 144. In this case the range lasts from a start point 21 at a time Tc-L1 preceding the current time of day Tc by the length L1 (for example a day) of a first time interval to an end time 22 at a time Tc-L2, preceding or following the current time of day Tc by the length of a second time of day (in the example of FIG. 2 L2 is slightly greater than zero). In this case management unit 142 computes for example whether the difference between the time stamp and the current time of day is between L1 and L2, to determine whether the time stamp is within the specified range relative to the current time of day Tc. If so management unit 142 enables decryption unit 140 to supply the decrypted key to decoder 122.

Thus a sliding window for time stamps is realized for which decryption is enabled. Alternatively such a sliding window may be realized by regularly transmitting new EMM's to update a fixed window in secure device 14 as time progresses during a single subscription.
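The window test performed by management unit 142, as an added Python example that is not part of the patent text. It combines the Tc-relative range [Tc-L1, Tc-L2] with the authorized time stamps and the maximum time value described earlier. The ECM byte layout, the HMAC-SHA-256 tag, the `Entitlement` fields, the demo key and the rule that Tc only moves forward are assumptions; decryption of the key itself is left out.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

MAC_LEN = 32
DEMO_KEY = b"constructed-demo-mac-key"  # constructed value, not a real key
HOUR = 3600
DAY = 24 * HOUR


def make_ecm(timestamp: int, key_blob: bytes, mac_key: bytes = DEMO_KEY) -> bytes:
    """Source side: authenticate the time stamp together with the key blob."""
    body = struct.pack(">Q", timestamp) + key_blob
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


@dataclass
class Entitlement:
    """Hypothetical EMM content for a sliding window relative to Tc."""
    l1: int                         # range starts at Tc - l1
    l2: int = 0                     # range ends at Tc - l2
    max_time: Optional[int] = None  # absolute limit for the sliding window


class ManagementUnit:
    def __init__(self, entitlement: Entitlement, mac_key: bytes = DEMO_KEY):
        self.ent = entitlement
        self.mac_key = mac_key
        self.tc = 0  # plays the role of time value storage 144

    def process_ecm(self, ecm: bytes) -> Optional[bytes]:
        """Return the key blob to pass on for decryption, or None if refused."""
        if len(ecm) < 8 + MAC_LEN:
            return None
        body, tag = ecm[:-MAC_LEN], ecm[-MAC_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # time stamp or key blob was altered
        (ts,) = struct.unpack(">Q", body[:8])
        # Assumption: Tc only moves forward, so a replayed ECM cannot wind it back.
        self.tc = max(self.tc, ts)
        if self.ent.max_time is not None and (
            ts > self.ent.max_time or self.tc > self.ent.max_time
        ):
            return None  # the window may not slide past the maximum time value
        age = self.tc - ts
        if not (self.ent.l2 <= age <= self.ent.l1):
            return None  # outside [Tc - L1, Tc - L2]
        return body[8:]


def demo() -> dict:
    """Constructed scenario: one-day window, expiring 30 days after t0."""
    t0 = 1_000_000  # constructed time value in seconds
    unit = ManagementUnit(Entitlement(l1=DAY, l2=0, max_time=t0 + 30 * DAY))
    live = make_ecm(t0 + 2 * DAY, b"K-live")
    recent = make_ecm(t0 + 2 * DAY - 6 * HOUR, b"K-recent")  # stored 6 h ago
    old = make_ecm(t0, b"K-old")                             # stored 2 days ago
    relabeled = bytearray(old)
    relabeled[:8] = struct.pack(">Q", t0 + 2 * DAY - HOUR)   # tag no longer matches
    results = {
        "live": unit.process_ecm(live),
        "recent": unit.process_ecm(recent),
        "old": unit.process_ecm(old),
        "tampered": unit.process_ecm(bytes(relabeled)),
    }
    late = make_ecm(t0 + 31 * DAY, b"K-late")
    results["after_expiry_live"] = unit.process_ecm(late)
    results["after_expiry_recent"] = unit.process_ecm(recent)
    return results


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:20s} -> {key!r}")
```

The stored ECM from six hours back is accepted because its time stamp lies inside the window, while the two-day-old one and the relabeled one are refused; once Tc passes the maximum time value, nothing in the sliding window is released any more.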

Subscription management unit 11 selects the time range specified by the EMM's dependent on reception of information about payment of a subscription fee for a particular type of time interval. Subscription management unit 11 is implemented for example as a suitably programmed conventional computer, with a database of subscriber information that is updated by means of payment information and subsequently consulted to control the content of EMM's. When subscription management unit 11 has received information that a subscriber has paid a fee for a time-range that extends a certain length L1 into the past, subscription management unit 11 causes source 10 to transmit an EMM entitling the secure device 14 of that subscriber to supply keys to decoder 122 for decoding information that has been stored for some time. Both the length of the time range and its extent into the past may depend on the fee paid.

Subscription management unit 11 manages subscription information for a plurality of subscribers. The extent into the past of the range of time values for which decryption can be enabled can be set individually for different subscribers, dependent on the type of subscription to which each subscriber is entitled. Thus, EMM's that are directed at different subscribers (for example by specifying different ID's in the EMM's, so that each EMM will be processed only by the secure device corresponding to the ID), may specify different extents into the past, dependent on the subscription.

In a further embodiment, the time range 20 can be selected to start and end at predetermined start and end times 21, 22 independent of the current time of day Tc. When subscription management unit 11 receives a signal indicating that a subscriber has paid for such an entitlement it sends an EMM to this effect to the secure device 14 of the relevant subscriber.

Thus a subscriber that wants to view past information stored in storage device 16 for which the subscriber has no entitlement, could receive an EMM specifying that the subscriber is entitled to view the stored information on the basis of the time at which the information was transmitted (i.e. the time stamps in the ECM's associated with the information). This should be contrasted with entitling the subscriber to decrypt a certain piece of information by specifically identifying that information in the EMM. Thus, for example a TV subscriber that has been on holiday for some time could be given the right to view TV programs from the holiday period, without having to specify individual programs.

It will be understood that the invention applies to any system that distributes a stream of information units and provides access on a time dependent basis. For example, the invention is not limited to a system that transmits encrypted information and entitlement messages over the same connection as shown in FIG. 1. Similarly, the mechanism using ECM's and EMM's is shown only by way of example: other ways of providing decryption keys may be used.

1. A method of distributing units of encrypted information and providing conditional access to the units, using a secure device (14) capable of selectively enabling decryption of said units, the method comprising distributing a stream comprising the units of information successively, each linked to a respective time-stamp; sending an entitlement management message to the secure device (14), the entitlement message including a specification of a range (21, 22) of time-stamp values and entitling the secure device (14) to enable decryption of units of information that are linked to time-stamps with values in that range (21, 22), wherein the range (21, 22) has a starting point (21) substantially prior to a time value (24) of the time stamps distributed concurrent the entitlement message.
2. A method according to claim 1, wherein the stream is distributed to a plurality of subscribers, each with an own secure device (14) and wherein the entitlement management message is one of a plurality of respective entitlement management messages, each sent receivable for the secure device (14) of a respective one of the subscribers, each entitlement management message including a specification of a respective range of time-stamp values (21, 22), the method comprising receiving subscriber dependent subscription information; setting a distance of said starting point (21) to said time value in each of the respective ranges (21, 22) according to a respective distance value and selecting each respective distance value from a set of two or more distance values, dependent on the subscription information for the subscriber for whose secure device (14) the entitlement management message is receivable.
3. A method according to claim 1, wherein the entitlement management message is one of a series of successive ones entitlement management messages, each specifying its own range (21, 22) so that said range slides with time so that the starting point substantially has a time independent distance to said time value (24).
4. A method according to claim 1, wherein the secure device (14) maintains and updates a current time value corresponding to the time values of the time stamps as they are distributed as a function of time, the secure device (14) adjusting said starting point to a time independent distance before the current time value, the secure device (14) deriving the time independent distance from said one of the entitlement management unit (24) at least for a series of successive current time values.
5. A method according to claim 1, wherein the range (21, 22) ends substantially before the time value of the time stamps distributed concurrent with said one of the entitlement messages.
6. A method according to claim 2, the subscription information comprising, for one of the subscribers, a selection of a further range (30, 32) ending substantially prior to the time value (24) of the time stamps distributed at a time of receiving said selection, the method comprising sending a further entitlement management message in addition to said entitlement messages, the further entitlement management specifying the further range (30, 32) and entitling the secure device (14) to enable decryption of units of information that are linked to time-stamps with values in that further range (30, 32).
7. An information distribution system that provides conditional access to units of encrypted information, the system comprising an information distribution device (10) arranged to distribute a stream of successive units of encrypted information, each linked to a respective time-stamp at least one information receiving device (12, 19) arranged to receive the stream a secure device (14) coupled to the at least one information receiving device (12, 19), for selectively enabling decryption of the units under control of an entitlement management message including a specification of a range (21, 22) of time-stamp values and entitling the secure device (14) to enable decryption of units of information that are linked to time-stamps with values in that range (21, 22); the information distribution device (10) being arranged to send the entitlement message so that the range (21, 22) has a starting point substantially prior to a time value (24) of the time stamps distributed concurrent with the entitlement message.
8. A system according to claim 7, the system comprising a plurality of secure devices (14, in 19), each for a respective subscriber, wherein the entitlement management message is one of a plurality of respective entitlement management messages, each sent receivable for a respective one of the secure devices (14, in 19), each of the entitlement management messages including a specification of a respective range of time-stamp values (21, 22), and wherein the information distribution device (10) has an input for receiving subscriber dependent subscription information; means (11) for setting a distance of said starting point to said time value in each of the respective ranges according to a respective distance value, the means (11) selecting each respective distance value from a set of two or more distance values, dependent on the subscription information for the subscriber for whose secure device the entitlement management message is receivable.
9. A secure device (12) for use in an information distribution system that provides conditional access to a stream of information units linked to time stamps, the secure device comprising an input for receiving entitlement management messages; a memory (144) for maintaining a current time count; a management unit (142) for selectively enabling decryption of the information units under control of the entitlement management messages, the management unit (142) being arranged to implement one of the entitlement management messages that includes a specification of a range of time-stamp values linked to units of information, for which the secure device (14) has to enable decryption, wherein the extending substantially prior to the current time count.
10. An information distribution device (10, 11) arranged to distribute a stream of successive units of encrypted information to a secure device (14), each unit linked to a respective time-stamp, the device having a transmitting unit (10) for transmitting an entitlement management message including a specification of a range (21, 22) of time-stamp values and entitling the secure device (14) to enable decryption of units of information that are linked to time-stamps with values in that range (21, 22) so that the range has a starting point (21) substantially prior to a time value (24) of the time stamps distributed concurrent with the entitlement message.
11. An information distribution device according to claim 10, arranged to distribute the stream to a plurality of subscribers, each having a respective secure device, the entitlement management message being one of a plurality of entitlement management messages for reception by respective ones of the secure devices, each entitlement management message specifying a respective range of time-stamp values, the device having an input for receiving subscriber dependent subscription information; means (11) for setting a distance of said starting point to said time value in each of the respective ranges according to a respective distance value, the means (11) selecting each respective distance value from a set of two or more distance values, dependent on the subscription information for the subscriber for whose secure device (14) the entitlement management message is receivable.